Subject: Re: GSSAPI authentication and OpenSSH on Windows
From: Alf Håkansson
To: cygwin AT cygwin DOT com
Date: Thu, 26 Sep 2013 14:37:03 +0200

Hello Ghis,

That might work, but the user will not be logged on to the Windows machine, i.e. sshd will not be able to get hold of a security token with the AD user's context. Going for that solution will only authenticate the user, but when the user gets the shell it will not be in the right context.

I think one needs to replace Heimdal/MIT Kerberos with the Windows SSPI interface.

/Alf


Hi Alf,

Seems we both are close to a solution, but I didn't make any progress on this issue on my side.

Your statement regarding ktpass for the keytab generation confirms my initial fears...

I searched a little more on this this morning and I stumbled upon this: http://web.mit.edu/kerberos/krb5-devel/doc/admin/princ_dns.html. Basically, it says that setting GSSAPIStrictAcceptorCheck to no in sshd_config will make sshd.exe use the first entry in the keytab, regardless of the principal name. So, theoretically, we could generate a keytab containing any principal name and sshd.exe would use this happily.

Unfortunately, it seems this configuration directive is not supported by the official OpenSSH release. This article mentions a certain patch that should do the trick: http://www.gossamer-threads.com/lists/openssh/dev/44429...

The only thing left to do/try is to get a hand on the OpenSSH sources and on the patch and try to rebuild OpenSSH. Could anyone help in doing this? Just providing pointers on howtos would be great! ;o)

Thank you!

Ghis

On Wed, Sep 18, 2013 at 3:55 PM, Alf Håkansson wrote:
> Hello!
>
> I am trying to get Kerberos authentication to work with openssh on a
> Windows machine that is part of a Windows domain.
> I have read all I could find on the internet about this issue but no
> one seems to have succeeded.
>
> OpenSSH is built with the Heimdal package.
>
> There is a post that pretty well describes all the steps to take to
> get it to work (but it does not):
> http://cygwin.org/ml/cygwin/2013-08/msg00386.html
> As I subscribed after that post I have no idea how to reply to it.
>
> The problem occurs when I am making the keytab file with help of ktpass.exe.
> I need the principal HOST/myhost.whatever.com
> Thing is that the machine itself is already registered with that
> principal, and as the Domain Controller can only have one entry for that
> principal, the machine will be deregistered and you can no longer log on
> with a domain user to the console.
>
> So please, if anyone has any experience in this topic let me know!
>
> /Alf

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
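An added example, not from any poster in this thread: the sshd_config fragment that the MIT princ_dns.html page Ghis refers to describes, written out so the acceptor-check setting can be seen next to the GSSAPI directives it depends on. The file path is a placeholder; the comments are mine.

```text
# Placeholder path: /etc/sshd_config (use whatever your Cygwin sshd reads)
# Added example fragment, not configuration posted in the thread.

# Accept Kerberos/GSSAPI user authentication at all.
GSSAPIAuthentication yes

# Default is "yes": the client must target host/<this host's FQDN> and that
# exact principal must be present in sshd's keytab. "no" lets sshd accept any
# service key that is in its default keytab, which is the behaviour the
# princ_dns.html page describes (and what a keytab made without the
# conflicting HOST/ principal relies on).
GSSAPIStrictAcceptorCheck no

# Remove the user's delegated credential cache when the session ends.
GSSAPICleanupCredentials yes
```

Whether a given build accepts the directive can be checked without restarting anything: `sshd -t -f /etc/sshd_config` exits non-zero with a "Bad configuration option" line if the keyword is unknown to that sshd, and `sshd -T -f /etc/sshd_config | grep -i gssapi` prints the effective values of the options above. Relaxing the acceptor check widens what counts as "this host": any principal whose key sits in that keytab can stand in for the host service, so keep the keytab limited to the entries this sshd needs and readable only by the account sshd runs as.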